Sharing PHI over text messages or phone calls can pose security risks if appropriate safeguards are not in place. While text messaging is not inherently HIPAA compliant, secure solutions are available. Voice calls, on the other hand, are generally considered compliant under the conduit exception. To ensure compliance, organizations must select secure communication solutions and have appropriate agreements in place with service providers.
The limitations of regular text messaging
With Americans checking their phones an average of 144 times per day, text messaging is undoubtedly a convenient way to communicate with others, but when it comes to the healthcare industry, some limitations must be considered. Under the Health Insurance Portability and Accountability Act (HIPAA), covered entities are required to protect the privacy and security of patients' protected health information (PHI).
According to the HHS, “texting patient information among members of the health care team is permissible if accomplished through a secure platform.” However, regular texting platforms, such as iMessage or WhatsApp, do not provide the necessary security measures to ensure HIPAA compliance. Access controls, audit controls, and encryption, important components of HIPAA compliance, are generally unavailable with these platforms.
Related: Texting tools and HIPAA compliance: The ultimate guide
The security risks of sharing PHI over the phone or text
When it comes to transmitting PHI electronically, various methods exist, each with different levels of security. While texting and calling may seem convenient, they present potential vulnerabilities, including a lack of access controls, audit controls, and encryption capabilities.
Under HIPAA, all PHI must be encrypted during transmission, at rest, and in storage. It is necessary to ensure that all entry points are covered to maintain compliance.
HIPAA compliant solutions for text messaging
While text messaging is not inherently HIPAA compliant, there are solutions available that meet the necessary standards. HIPAA compliant text messaging apps have gained popularity among medical practices and other healthcare organizations that require quick transmission of PHI.
These apps operate within a secure, encrypted network that complies with HIPAA regulations. Some of these apps even offer voice and video calls, as well as the ability to share files and images. This versatility allows for various types of communication while ensuring the security of PHI. Additionally, these apps often provide the option to retract or delete data in case of device theft, further safeguarding PHI.
To ensure compliance, a business associate agreement (BAA) or a business associate subcontractor agreement (BASA) must be obtained from these contractors. In the context of text messaging, the messaging app itself would fall under the purview of the BAA or BASA. You must have these agreements in place to ensure that the service provider's platform is acceptable for the transmission of ePHI.
Read also: What is a business associate agreement?
HIPAA compliance for voice calls
Unlike text messaging, voice calls are generally considered HIPAA compliant and fall under the conduit exception. The conduit exception applies to entities that transmit but do not hold any information, such as the U.S. Postal Service, internet providers, and telephone providers.
However, caution must be exercised when relaying PHI over the phone. For example, if a phone service provider offers a voicemail system that stores ePHI or records phone calls for later review, a BAA must be obtained from that provider.
When a client gives consent to be contacted by a covered entity, HIPAA rules must be respected. It is necessary to verify the client's identity by confirming specific information unique to that individual, such as the last four digits of their social security number, address, or phone number.
Related: HIPAA Conduit Exception Rule - what is it?
Paubox’s solution
Introducing Paubox Texting - a HIPAA compliant texting API for patient engagement that doesn't require recipients to download 3rd-party applications or use passcode-protected portals.
You can now send HIPAA compliant text messages directly to your recipients' mobile devices.
Why choose Paubox Texting API?
- Personalize with PHI
- Modern patient engagement
- Improved business outcomes
- Send personalized reminders
- Top-rated U.S. support
FAQs
Can WhatsApp be HIPAA compliant?
Messaging services that have a code to decrypt messages would need to sign a BAA as they have the means to access data. However, WhatsApp does not divulge if they have the means to decrypt messages therefore WhatsApp is not HIPAA compliant and cannot be used to transmit PHI.
What makes a phone HIPAA compliant?
Put simply, a phone system that's HIPAA compliant meets all the requirements that HIPAA lays out for safeguarding patient data, specifically, the aptly named privacy and security rules, which together lay out the standards for protecting ePHI.
Farah Amod
